Submit a ticketCall us

Training Class Getting Started with SolarWinds Backup - February 28

This course offers customers an introduction to SolarWinds Backup, focusing on configuring the backup technology, taking backups, data restoration and data security. It is a great primer and will get you up to speed quickly on SolarWinds Backup.
Register for class.

Home > Success Center > Database Performance Analyzer (DPA) > Configure DPA to use a custom certificate for SSL/TLS using keytool

Configure DPA to use a custom certificate for SSL/TLS using keytool

Updated February 8, 2017


By default, DPA 9.2 and later automatically generates a self-signed certificate that is used to establish secure communication over HTTPS. This article describes how to replace the self-signed certificate with a custom certificate using keytool, a Java application.

SolarWinds allows you to configure custom certificates. However, SolarWinds Support does not provide configuration assistance. If you need assistance, please contact the vendor who provided your certificate.

Before you begin, you must contact your administrator to determine the certificates required for your environment.


  • DPA 9.2 and later


If you have a Java KeyStore (JKS) file from your administrator, you can rename it to .keystore and skip to step 2. SolarWinds recommends renaming the alias for the server certificate in the keystore file by running the following commands:

Description Command
List all certificates stored in keystore file keytool -list -v -keystore <YOUR_KEYSTORE_FILE>

Identify certificate for your DPA server and use its alias name as <OLD_ALIAS_NAME>

Rename certificate alias <OLD_ALIAS_NAME> to tomcat

keytool -changealias -alias "<OLD_ALIAS_NAME>" -destalias "tomcat" -keypass <CERTIFICATE_KEY_PASSWORD> -keystore <YOUR_KEYSTORE_FILE> -storepass <KEYSTORE_PASSWORD>

Default passwords are changeit.

If you do not have a JKS file from your administrator, follow these steps:

  1. Create a keystore containing the newly generated private/public key pair.
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore .keystore -storepass <KEYSTORE_PASSWORD> -keypass <CERTIFICATE_KEY_PASSWORD> -dname "CN=<HOST_NAME>,O=<ORGANISATION>,L=<LOCATION>,ST=<STATE>,C=<COUNTRY>"
    • You can choose the specific domain name ( or use a wildcard character (*
    • Default passwords are changeit.


  2. Generate a certificate-signing request.
    keytool -certreq -keyalg RSA -alias tomcat -keystore .keystore -file <DPA_CERT_REQUEST_FILE> -storepass <KEYSTORE_PASSWORD>
  3. Ask your certificate authority (CA) to sign your request file, <DPA_CERT_REQUEST_FILE>. You should then recieve the file containing a signed certificate from your CA.
  4. Get the files with the trusted certificate chain from your CA.
    • Ensure that every certificate of the chain is in separate file. A file containing more certificates is not supported.
    • Start from the root CA certificate and progress down the chain. Typically this means importing the root CA certificate and one or more intermediate certificates.
  5. Import certificates from the trusted chain into your keystore.
    keytool -import -alias <ALIAS> -keystore .keystore -trustcacerts -storepass <KEYSTORE_PASSWORD> -file <CERTIFICATE_CHAIN_FILE> 

    If you receive the following error message, ask your CA where to get these file.

    keytool error: java.lang.Exception: Input not an X.509 certificate => chain certificate has to be in separate files

  6. Import the signed certificate from your CA to your keystore.
    keytool -import -alias tomcat -keystore .keystore -storepass <KEYSTORE_PASSWORD> -file <DPA_SIGNED_CERT_FILE>
  7. Place the .keystore file into the <DPA-dir>/iwc/tomcat/conf/ directory.
  8. If you did not use the default password (changeit), edit the server.xml file and add these attributes to the tomcat connector:
  9. Restart the DPA server.


If your browser warns about an insecure connection, show the certificate information in your browser.


The requested host name does not match the certificate of the server.

Ensure that the certificate CommonName contains host name of the DPA server.


The keystore used for import must be the one that was used to generate the CSR.

Use the same keystore file (.keystore) in all steps.

Last modified